Hilton Hotel

Social Engineering: Penetration testing hotels

At the last TechEd Africa, Microsoft put all the speakers up in The Hilton in Durban. It was around 4AM (a few hours before the closing keynote), and @rmaclean, some other speakers, and myself, decided to see how hard it would be to get into someone’s room.

We came up with the following routine: One person pretends to be almost blackout drunk, and then another sober person helps them to the front desk. The sober person explains that they are trying to get this drunk friend back to the drunk friends room, but they don’t have the key.

Continue reading

SterKinekor vulnerability to download millions of user accounts

I just finished my DevConf 2017 talk entitled All your data are belong to us: Reverse-engineering API’s, web scraping, and the details of how I gained access to 7 million Ster-Kinekor accounts.

This blog post is a rough summary of the Ster-Kinekor part of that.

MyBroadband has done a piece on this: Massive flaw in old Ster-Kinekor website leaked clients’ private data 

It’s worth noting that nothing here is particularly advanced, and neither is my security knowledge – which is sort of what makes this scary.

If you don’t want to read the details, here is a summary:

Ster-Kinekor had a vulnerability in their site/api that allowed anyone to get the profile details of every single user in their system. Those details included names, addresses, phone numbers, and plain text passwords (amongst a lot of other fields that you can see below).

To be clear, this wasn’t a hard thing to find at all, and from Ster-Kinekors side, it was just pure negligence. Not only did the API hand off details to anyone, they were also storing password in their database in plaintext (and returning those to the client!).

Continue reading

Moving a Unity Animator component to its parent


In VALA I’ve been animating a cut-scene, and made the silly mistake of putting my Animator component on the character instead of on a root object. This means that the Animator isn’t able to move anything except the character (because they are not in the same hierarchy).

In the image below, my Animator was on Scientist, instead of ScientistRoot, meaning that I couldn’t use it to animate ScientistTerminal when he touches it.

animator

So here is a quick tip to move the Animator to the root GameObject – which Unity doesn’t support, but really should.

Continue reading

Some details on the eThekwini Municipality vulnerability

Here are some extra details on what happened yesterday.

Here is the MyBroadband article for context.

Timeline

At 12pm 7 September a colleague of mine received the email from eThekwini, and told me the password was in plain text.

Presumably they were staging emails because at at 4:31pm 7 September I received the same email. The password was in plain-text, and was my actual password, not a newly generated one.
This means they were either storing the passwords in plain-text, or encrypting them and storing that – both of which are obviously bad, because if they can decrypt it, chances are so can someone else.

Continue reading

FlappyHand: Unity3D game with an ESP8266 Arduino (Wemos) controller over WiFi

I thought it would be fun to make a little FlappyBird clone using an ultrasonic sensor as the controller.
So I threw this together yesterday:

What you’re seeing there is an ultrasonic sensor on the table reading how far my hand is away from it, then it sends that value over WiFi to the Unity3D game, which then maps that to the plane movements.
Continue reading

PriceCheck for Windows and Windows Phone

 

We developed the PriceCheck app for Windows and Windows Phone.

Use your Windows device to browse and search for products on PriceCheck from South Africa’s latest catalogue offers, wherever you are. Once you’ve decided which product you would like to buy, you can use the included store locator, maps and merchant contact details to find a relevant stockist. Other features of the PriceCheck app include:

– Location Based Search
– Browse Catalogues
– Store Locator and Directory
– Product Details – price, description, images, reviews
– Search history


Unity3D Mesh Collider vs. Box Collider

Logic tells us that a box collider in Unity3D will be more performant than a mesh collider simply because it is less complex. But I had an impulse a couple days ago to test it out myself. This doesn’t really scratch the surface of every use-case.

I went to the AssetStore and picked out a fairly simple free armchair model. I then made two different prefabs, one with a convex mesh collider, and the other with a box collider.

Chair collidersThen I made a script to spawn a 40×40 grid of a type and let them fall onto two planes. That means a total of 1600 armchairs were doing discrete physics updates, which will kill even the best of the PC master-race.

 

On the left side we have the mesh collider, and on the right is the box collider. Click the gif to goto a full-size version which has a bar to manually scrub through.

As expected, the summary is that the mesh collider is incredibly slower (sometimes even 20x slower) than the box collider. And in this case the mesh collider is actually pretty simple. Something worth pointing out is that although the graphs sort of line up, their scale is totally different, so take a proper look at the number on it.

 

Now for bonus points, here is a pretty scene of a stupid amount of spheres attacking the streets of New York.

Nuget: Your project.json doesn’t list ‘win10-x86’ as a targeted runtime

Recently I was working on a small UWP app on my SurfaceBook and everything was fine. But when I pulled the code from GitHub down to my main machine I got the following error:

Your project.json doesn’t list ‘win10-x86’ as a targeted runtime. You should add ‘”win10-x86″: { }’ inside your “runtimes” section in your project.json, and then re-run NuGet restore. 

After a while I figured out that this error is totally misleading, and the real problem is that your Nuget package source has been disabled. I have a feeling this was related to installing Visual Studio 15 preview.

Anyway, to fix it: Click Tools > Options > NuGet Package Manager > Package Sources, and then re-enable (or re-add) the sources.NuGet Package Manager

Full Netflix vs ShowMax South Africa Catalogues

A couple of years ago I wrote a guide for getting Netflix in South Africa, which still gets thousands of hits a month. A lot has changed since then – notably, Netflix has finally launched in South Africa, and a bunch of local VOD services have launched (ShowMax, Vidi, and some other small ones).

But even though Netflix is now in SA, the content is really limited. This isn’t Netflix’ fault, but comes down to licensing and what makes commercial sense. For this reason, the guide linked at the top is still 100% valid, and will open up tons of extra content.

Since the Netflix SA launch there has been lots of media comparing Netflix with ShowMax (and others), however none of them really go into any detail, and the actual data they have seems pretty inaccurate.

So I crunched the numbers!

Netflix vs. ShowMax January 2016 Continue reading